Author: Benjamin D. Thomas
for GnuPG, cvs, rsync, screen, and ethereal. The distributors include Conectiva,
Fedora, Gentoo, Immunix, Mandrake, Red Hat, and Slackware.
Data integrity has never
been more important. A few weeks ago, several Debian servers were compromised.
Soon after that, it was reported that the Gentoo rsync server was also compromised.
Although these incidents appear to be under control, something catastrophic
could have happened. Suppose malicious code was planted on the Debian or Gentoo
servers. Later, users wishing to install or update their operating systems downloaded
and executed this code. Sooner or later, it could have resulted in thousands
of vulnerable systems across the Internet.
One problem that we are
faced with today is trusting the code that we execute. How can we ensure that
it comes from the correct source? When applying security patches, how do we
know that this comes from the distributor and not a rouge source? A helpful
solution is to use MD5 checksums. Briefly, MD5 (message- digest algorithm) is
the most widely used hashing algorithm. With this, it is reasonable to assume
that the code you wish to execute came from the source in which you trust. For
example, if I needed to send a friend a binary, I may also choose to send a
MD5 checksum. (d1ccac94dadcf1686f6692719845991c) With this, the friend can verify
the integrity of the binary that I sent. In Linux and most other operating systems,
to generate a MD5 checksum, the command ‘md5sum filename(s)‘ is used.
When applying security
patches, it is important to check the integrity of the patches that are downloaded.
When downloading security patches, it is important to check the source of where
the download is coming from, and also verify the file(s) with ‘md5sum’. This
week, there is a Red Hat GnuPG
advisory and patch. If you are patching a Red Hat server, after downloading
the files, the MD5 checksums can be checked against the ones found in the advisory.
e1f31f4a07ebb5b4040f8f6ca3816cc4
9/en/os/SRPMS/gnupg-1.2.1-9.src.rpm
604a2fb5b809ec99280871f46507f4a1 9/en/os/i386/gnupg-1.2.1-9.i386.rpm
If they differ with those generated on your machine, there is an integrity problem.
Either the code, or the hash was published wrong and it should be investigated.
Checking MD5s does not absolutely guarantee data integrity because they could
have also been altered. However, because the MD5 hash values and the code are
distributed independently, it can give a reasonable assurance that the code
can be trusted. Checking a MD5 will only take several seconds and will provide
another level of assurance.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity
Feature Extras:
Guardian
Digital Launches the First Secure Small Business Internet Productivity Solution
– Guardian Digital, the world’s premier open source Internet security company,
announced the availability of Internet Productivity Suite, a comprehensive
productivity and security management system. Focused on the increasing requirements
of small and medium organizations, this cohesive and highly-secure suite of
applications combine to protect users from Internet threats while providing
the features necessary to operate a complete Internet presence.OpenVPN:
An Introduction and Interview with Founder, James Yonan
– In this article, Duane Dunston gives a brief introduction to OpenVPN and
interviews its founder James Yonan.R00ting
The Hacker
– Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers is a former intelligence officer in the U.S. Marine Corps
who currently writes for Computerworld and CNN.com, covering national cyber-security
issues and critical infrastructure
protection.[ Linux
Advisory Watch ] – [ Linux
Security Week ] – [ PacketStorm
Archive ] – [ Linux Security
Documentation ]
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
[ Subscribe
]
| Distribution: | Conectiva | ||
| 12/9/2003 | GnuPG | ||
| signing key vulnerability Phong Nguyen discovered[2] a vulnerability (CAN-2003-0971[3]) in the way |
|||
| Distribution: | Fedora | ||
| 12/11/2003 | GnuPG | ||
| Signing key vulnerability Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal |
|||
| Distribution: | Gentoo | ||
| 12/11/2003 | cvs | ||
| Unauthorized access vulnerability This release fixes a security issue with no known exploits that could cause |
|||
| 12/12/2003 | app-crypt/gnupg Multiple vulnerabilities |
||
| Unauthorized access vulnerability Two flaws have been found in GnuPG 1.2.3 including a format string vulnerability |
|||
| Distribution: | Immunix | ||
| 12/8/2003 | rsync | ||
| Heap overflow vulnerability The rsync team has alerted us to a remotely exploitable heap overflow that |
|||
| Distribution: | Mandrake | ||
| 12/8/2003 | cvs | ||
| Unauthorized access vulnerability A vulnerability was discovered in the CVS server |
|||
| 12/8/2003 | screen | ||
| Buffer overflow vulnerability A vulnerability was discovered and fixed in screen by Timo Sirainen who |
|||
| 12/11/2003 | cvs | ||
| Unauthorized access vulnerability (correction) The previous updates had an incorrect temporary directory hard-coded in |
|||
| 12/11/2003 | ethereal | ||
| Multiple vulnerabilities A number of vulnerabilities were discovered in ethereal that, if exploited, |
|||
| Distribution: | Red Hat |
||
| 12/11/2003 | GnuPG | ||
| Signing key vulnerability Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal |
|||
| Distribution: | Slackware | ||
| 12/11/2003 | cvs | ||
| Unauthorized access vulnerability A security problem which could allow an attacker to create directories and |
|||
Category:
- Security
